IETF Logo Mail Archive

Re: [lisp] Let's review crypto in lisp-crypto

Dino Farinacci <farinacci@gmail.com> Tue, 03 November 2015 02:18 UTC

Return-Path: <farinacci@gmail.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D6C81ACDA5 for <lisp@ietfa.amsl.com>; Mon, 2 Nov 2015 18:18:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1
X-Spam-Level:
X-Spam-Status: No, score=-1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_BACKHAIR_52=1, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1QGHonXcTf3W for <lisp@ietfa.amsl.com>; Mon, 2 Nov 2015 18:18:15 -0800 (PST)
Received: from mail-pa0-x22d.google.com (mail-pa0-x22d.google.com [IPv6:2607:f8b0:400e:c03::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C79D1ACD92 for <lisp@ietf.org>; Mon, 2 Nov 2015 18:18:15 -0800 (PST)
Received: by pacfv9 with SMTP id fv9so3822009pac.3 for <lisp@ietf.org>; Mon, 02 Nov 2015 18:18:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=dHeuuPgzEuJGHs/KYVEvq6eamjM7A1Df2OHd6d/+lUs=; b=zVmhp4KHlWKOsAdQ6AjUon0EsDsSkFUlzkLs7CRuM+TLed0YiYMwrlvMkp2RH+iXug B2gZ1280Iu1Sy687CPwvn61gPPWtm+XRWWdEUWnxc8ehlsia8AAwSFzDww5gTNEr/AU7 kuolXXJFDqXEM+vIfYS79XV2eprOeUJc3Uk0rRAzZrmHpfe/vURycE5qeP+S85JNQTk7 lgsjET9sWC8JWUBbEvzmyI2iDx8FHp9TmTBN+rX/pSM/JacJT1XF01A/3baZXRxw9kJ/ nD6I0/JkchpqNowzYzEc4BxzaJwvKGhynX6WpqW+rM7NFEkA5bNV8dW0gJnRKAIiTLwO AE4A==
X-Received: by 10.66.62.198 with SMTP id a6mr31118038pas.68.1446517094943; Mon, 02 Nov 2015 18:18:14 -0800 (PST)
Received: from t20010c400000303240265176242d4849.v6.meeting.ietf94.jp (t20010c400000303240265176242d4849.v6.meeting.ietf94.jp. [2001:c40:0:3032:4026:5176:242d:4849]) by smtp.gmail.com with ESMTPSA id zn9sm26523873pac.48.2015.11.02.18.18.12 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 02 Nov 2015 18:18:13 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Dino Farinacci <farinacci@gmail.com>
In-Reply-To: <20151102103946.GA4014@LK-Perkele-V2.elisa-laajakaista.fi>
Date: Mon, 02 Nov 2015 18:18:08 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <7E1DB803-830D-46EC-A49F-FDB2618D14EB@gmail.com>
References: <20151028141703.GA9632@LK-Perkele-V2.elisa-laajakaista.fi> <1C855BE8-70D6-4604-AFED-4298AAD6186C@gmail.com> <20151101095325.GB13377@LK-Perkele-V2.elisa-laajakaista.fi> <0A35A9D5-B44E-4A00-B680-8B3599575E2C@gmail.com> <20151102103946.GA4014@LK-Perkele-V2.elisa-laajakaista.fi>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
X-Mailer: Apple Mail (2.2104)
Archived-At: <http://mailarchive.ietf.org/arch/msg/lisp/ZYOKkpEx8LAnLeyyTV7-iufGF-0>
Cc: LISP mailing list list <lisp@ietf.org>
Subject: Re: [lisp] Let's review crypto in lisp-crypto
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Nov 2015 02:18:17 -0000

Understand your comemnts. I’ll create a -03 with changes that reflect your comments and turn it around ASAP so you can make sure I addressed your comments.

Expect it in the next few days but not before today’s working group meets.

Dino

> On Nov 2, 2015, at 2:39 AM, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> 
> On Sun, Nov 01, 2015 at 08:42:44PM -0800, Dino Farinacci wrote:
>> 
>>> On Sun, Nov 01, 2015 at 01:13:56AM -0700, Dino Farinacci wrote:
>>>> 
>>>>> - Ciphersuite 1 uses 1024-bit Diffie-Hellman, which is too weak
>>>>> (after you have cracked one key (and it doesn't take that much,
>>>>> especially if you can throw ASICs at the problem), you can crack
>>>>> each subsequent one in a few CPU minutes. With 2048-bit DH, at
>>>>> least the first key tends to be too hard, and with ECDH, tricks
>>>>> like this don't work).
>>>> 
>>>> Yes, both Brian and I replied that we were using this more for
>>>> experimentation on low-powered or CPU challenged devices. We will
>>>> not recommend its use. It’s just there for implementations to start
>>>> with something. But havind said that, I would like to recommend
>>>> the smaller keys that come along with chacha20/poly1305 so maybe
>>>> the subject is moot. 
>>> 
>>> I think that even having low-security options is a problem.
>> 
>> How about we change the Cipher Suite definitions TO this (and address multiple of your comments):
>> 
>>   Cipher Suite 0:
>>     Reserved
>> 
>>   Cipher Suite 1:
>>     Diffie-Hellman Group: 2048-bit MODP [RFC3526]
>>     Encryption:           AES with 128-bit keys in GCM mode [AES-GCM]
>>     Integrity:            HMAC-SHA1-96 [RFC2404]
>> 
>>   Cipher Suite 2:
>>     Diffie-Hellman Group: 3072-bit MODP [RFC3526]
>>     Encryption:           AES with 128-bit keys in GCM mode [AES-GCM]
>>     Integrity:            HMAC-SHA1-96 [RFC2404]
>> 
>>   Cipher Suite 3:
>>     Diffie-Hellman Group: 256-bit Elliptic-Curve 25519 [CURVE25519]
>>     Encryption:           AES with 128-bit keys in GCM mode [AES-GCM]
>>     Integrity:            HMAC-SHA1-96 [RFC2404]
> 
> AES-GCM is AEAD algorithm, so it also covers the integerity.
> 
>>   Cipher Suite 4:
>>     Diffie-Hellman Group: 256-bit Elliptic-Curve 25519 [CURVE25519]
>>     Encryption:           Chacha20-Poly1305 [CHACHA-POLY]
>>     Integrity:            Covered under Encryption Algorithm
>> 
>> Please ack before we take action. And would like Brian (or anyone else
>> in the WG) to weigh in on this as well.
>> 
>>>>> - The NIST SP800-108 KDF handles the counter and length internally,
>>>>> those are not part of the context input.
>>>> 
>>>> You should point to text so we know where in the spec you are
>>>> commenting against. It is hard to get context from your comments.
>>> 
>>> Section 5 in -02. The listing for "Context" (meaning the fields
>>> in context).
>> 
>> I think we are saying we are building a context similar to the NIST
>> standard but not using it. Brian needs to comment here.
> 
> What I'm saying is that you seem to be duplicating steps NIST KDF does
> internally.
> 
>>>> We use the source RLOC and the Map-Request nonce to identify the association.
>>> 
>>> That's does not create identifier suitable for comparing between
>>> endpoints for authentication.
>> 
>> LISP-SEC is used as well. See the Security Considerations section.
>> I think we have this covered.
>> 
>>> You mean that A (and B) is supposed to use different DH keys for
>>> their roles as ITR and ETR (if reusing keys, like at least some
>>> implementations are going to do)?
>> 
>> Yes, that is the way we described it by talking about encryption
>> unidirectionally from ITR to ETR.
> 
> I haven't found the security consideration (that if the same router
> is ITR and ETR, it MUST NOT reuse DH keys for both purposes).
> 
> And I'd rather not leave such things implicit.
> 
>>> - IV is incremented for every packet? If using CBC mode, predictable
>>>>> IVs are bad (AEAD algorithms do deal with predictable IVs, but not
>>>>> repeating IVs).
>>> 
>>> I mean, the document seems to say both IVs are randomly generated and
>>> incremented for every packet (which seem to be mutually
>>> contradictionary).
>> 
>> I see. We can do one versus the other. That is, use random IVs. Is that okay?
> 
> No the problem is:
> - CBC IVs MUST be random.
> - 12-octet-nonce AEAD IVs MUST NOT be random.
> 
> The reason for latter is that 96 bit randoms repeat too soon, and
> AEAD algorithms usually break in catastrophic ways if the nonce
> ever repeats (basically all security lost in this case).
> 
>>> 2) Invoke the AEAD encryption with:
>>> - Key set to encryption-key
>>> - Nonce set to the IV (truncated to N_MAX octets if N_MAX<16, padded
>>> with zeroes in the end to N_MIN octets if N_MIN>16).
>>> - AD set to LISP header plus added IV field (the parts of packet marked
>>> as ICV but not encrypt).
>>> - Plaintext set to the packet payload.
>> 
>> Yes, that is what we do.
> 
> If you have IV size be algorithm-dependent, just set the nonce to the
> IV (no padding, no truncation).
> 
>> 
>>> And decryption:
>>> 
>>> 1) Strip the outer IP and UDP headers.
>>> 
>>> 2) Strip tag encryption concatenated  from packet payload (if any).
>>> 
>>> 3) Invoke the AEAD decryption with:
>>> - Key set to encryption-key (from local key-cache)
>>> - Nonce set to the IV field contents (truncated to N_MAX octets if
>>> N_MAX<16, padded with zeroes in the end to N_MIN octets if N_MIN>16).
>>> - AD set to LISP header plus added IV field (the parts of packet marked
>>> as ICV but not encrypt).
>>> - Ciphertext set to the packet payload.
>> 
>> But we don’t use the data-plane nonce for this. Because it may be
>> used for other LISP data-plane features. We use the control-plane
>> nonce which doesn’t show up on the network very often (only when
>> Map-Requests and returning Map-Replies are sent). So this is better
>> for security.
> 
> No, this nonce is the nonce for crypto algorithm and is per-packet.
> The LISP packets transport it in "IV" field.
> 
>>> There is also AEAD_AES_128_GCM, which being AEAD algorithm, is used
>>> similarly to AEAD_CHACHA20_POLY1305. The above algorithms work with
>>> it too.
>> 
>> Does that mean we don’t need an ICV if we used AES-GCM? Similar to
>> your chacha20-poloy1305 comment?
> 
> Yes, it means that. AES-GCM internally does the equivalent of the ICV
> (called "tag" there).
> 
> 
> -Ilari

v2.23.0 | Report a Bug | By Email